SetNamedSecurityInfo running under SYSTEM account
From: System (S_1_5_18_at_hotmail.com)
Date: 01/12/04
- Previous message: Richard Grossman: "Re: How to exchange certificate ?"
- Next in thread: System: "Re: SetNamedSecurityInfo running under SYSTEM account"
- Reply: System: "Re: SetNamedSecurityInfo running under SYSTEM account"
Date: Mon, 12 Jan 2004 12:17:00 +0100
Hi!
I am using SetNamedSecurityInfo to set both the DACL and SACL of a
directory. I have tested my code under the admin account and it works, but
when I run it from our (MSI) setup under the Local System account there is
something odd. When setting the SACL, SetNamedSecurityInfo returns error
1314 (ERROR_PRIVILEGE_NOT_HELD).
I thought that the privileges were enabled by default for Local System, but
that does not seem to be the case (I have tested it).
Anyway, in my code I explicitly enable the SE_SECURITY_NAME privilege.
For the record, I have also enabled SE_TAKE_OWNERSHIP_NAME for the DACL.
Has anybody ever managed to use SetNamedSecurityInfo from the LocalSystem
account?
// audit everyone
ACL* sacl = 0;
DWORD lenSacl;
// room for one SYSTEM_AUDIT_ACE; the SID replaces its DWORD SidStart placeholder
lenSacl = sizeof(ACL) + sizeof(SYSTEM_AUDIT_ACE)
        + GetLengthSid(worldSid) - sizeof(DWORD);
sacl = (ACL *) malloc( lenSacl );
InitializeAcl(sacl, lenSacl, ACL_REVISION);
ACCESS_MASK m = GENERIC_WRITE | WRITE_OWNER | WRITE_DAC | DELETE;
// audit both successful and failed access
AddAuditAccessAce(sacl, ACL_REVISION, m, worldSid, TRUE, TRUE);
secinfo = SACL_SECURITY_INFORMATION | PROTECTED_SACL_SECURITY_INFORMATION;
// EnableTokenPrivilege is the poster's own helper (not shown)
EnableTokenPrivilege(msi, SE_SECURITY_NAME);
rc = SetNamedSecurityInfo( mydir, SE_FILE_OBJECT, secinfo, 0, 0, 0, sacl );
// rc is ERROR_PRIVILEGE_NOT_HELD !!
Thanks.
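
The SACL size formula in the post (ACL header, plus one ACE struct, plus the SID length, minus one DWORD) can be checked by writing out the binary layout by hand. The following is an added example, not code from the original post: it is a portable sketch that does not call the Windows API, the helper names (sid_length, sacl_size, build_audit_sacl) are hypothetical, and the constants repeat the winnt.h values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from winnt.h, repeated here so the example builds anywhere. */
enum { ACL_REV = 2, AUDIT_ACE_TYPE = 0x02,
       AUDIT_SUCCESS = 0x40, AUDIT_FAILURE = 0x80 };
#define AUDIT_MASK 0x400D0000u /* GENERIC_WRITE|WRITE_OWNER|WRITE_DAC|DELETE */

/* Constructed sample: the well-known Everyone SID S-1-1-0 in binary form. */
static const uint8_t EVERYONE_SID[12] = {
    1, 1,              /* Revision, SubAuthorityCount */
    0, 0, 0, 0, 0, 1,  /* IdentifierAuthority = 1 (big-endian) */
    0, 0, 0, 0         /* SubAuthority[0] = 0 (little-endian) */
};

static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }

/* What GetLengthSid reports: 8 fixed bytes + 4 per sub-authority. */
size_t sid_length(const uint8_t *sid) { return 8 + 4 * (size_t)sid[1]; }

/* ACL header (8) + ACE header (4) + mask (4) + SID. This equals the post's
 * formula because the 12-byte ACE struct counts a 4-byte SidStart
 * placeholder that the SID overwrites. */
size_t sacl_size(const uint8_t *sid) { return 8 + 4 + 4 + sid_length(sid); }

/* Write a one-ACE audit SACL into buf; returns bytes written, 0 if too small. */
size_t build_audit_sacl(uint8_t *buf, size_t cap, const uint8_t *sid) {
    size_t sidlen = sid_length(sid), total = sacl_size(sid);
    if (cap < total || total > 0xffff) return 0;
    memset(buf, 0, total);
    buf[0] = ACL_REV;                        /* AclRevision; Sbz1 stays 0 */
    put16(buf + 2, (uint16_t)total);         /* AclSize */
    put16(buf + 4, 1);                       /* AceCount; Sbz2 stays 0 */
    uint8_t *ace = buf + 8;
    ace[0] = AUDIT_ACE_TYPE;                 /* ACE_HEADER.AceType */
    ace[1] = AUDIT_SUCCESS | AUDIT_FAILURE;  /* AceFlags: both TRUE flags */
    put16(ace + 2, (uint16_t)(8 + sidlen));  /* AceSize */
    put32(ace + 4, AUDIT_MASK);              /* Mask */
    memcpy(ace + 8, sid, sidlen);            /* SidStart */
    return total;
}
```

For the Everyone SID this gives a 28-byte SACL holding a single 20-byte audit ACE.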